srcid on OpenBSD

Eric Pancer epancer at pobox.com
Fri Mar 14 15:08:18 EDT 2008 

IP addresses are available.

xlog$ ra -s +2srcid -r 14/argus.2008.03.14.14.00.00 - con|head -1
   14:00:00.000000  e          172.18.103.12    tcp
172.24.103.12.ssh      <?>    172.19.223.223.26049        36
4931   CON


The sourceid is 172.18.103.12


On Fri, Mar 14, 2008 at 2:00 PM, Mark Bartlett <mabartle at gmail.com> wrote:
> In the ra Man page it states:
>
> srcid argusid
>               True  if the argus identifier field in the Argus record is
> srcid, which
>               may be an IP address, a name or a decimal/hexidecimal number.
>
>
> Radium Man states:
>
>  -e   <value> Specify the source identifier for this radium.  Acceptable
> values
>             are numbers, hostnames or ip address.
>
> Argus Man States:
>
>  -e   <value>  Specify the source identifier for this argus.  Acceptable
> values
>              are numbers, hostnames or ip address.
>
> Carter, is there any way we can have that field be:
>
>  an IP Address (like you have),
> a number (any number, ie 23417, I would like to set the Monitor ID to a
> number that correlates with an IDS Sensor I have, each IDS I have has a
> unique ID for it, would be nice to be able to correlate that data. Argus vs.
> IDS)
> hostname (like you have)
> or just a name (ie. TestLabProbe)In my environment an IP Address doesn't
> mean much to me, I might have multiple ARGUS sensors out in multiple private
> networks (so they all might have a 192.168.x.x address), so what happens if
> I have 2 sensors in 2 different private networks with the same IP
> (192.168.50.33) would be hard to differentiate between the two...
>
> Thanks.
>
> Bartola
>
>
>
>
>
> On Fri, Mar 14, 2008 at 12:52 PM, Eric Pancer <epancer at pobox.com> wrote:
> > On Fri, 2008-03-14 at 12:45:40 -0400, Mark Bartlett proclaimed...
> >
> >
> > >    Can you give me an example of what you are using for your SRCID?  I
> > >    put the following:
> >
> > Sure..
> >
> > $ grep MONITOR /etc/argus.conf
> > ARGUS_MONITOR_ID=172.12.4.14
> >
> > $ grep MONITOR /etc/radium.conf
> > RADIUM_MONITOR_ID=172.12.4.15
> >
> > >    ARGUS_MONITOR_ID=33  and I get this in the srcid field = [1]0.0.0.33
> > >    If I put this:
> > >    '
> > >    ARGUS_MONITOR_ID=12345 I get this, [2]0.0.48.57
> >
> > >    If I try this:
> > >    ARGUS_MONITOR_ID='argus-server-test'
> > >    I get an error on start:  ArgusError: argus[5150]: 14 Mar 08
> > >    16:34:28.916521 ArgusParseResourceFile(/etc/argus.conf) syntax error
> > >    line 76
> > >    If I try this (No quotes):
> > >    ARGUS_MONITOR_ID=argus-server-test
> > >    Now the srcid is the IP address of argus-server-test defined in the
> > >    /etc/hosts file...
> > >    Just trying to get an example of 'how' people are using this srcid
> > >    (ARGUS_MONITOR_ID) field, and how it is 'supposed' to be used...
> > >    thanks.
> >
> > I believe the value needs to be a numeric value. See the man page as it's
> > well defined.
> >
> > - Eric
> >
>
>



-- 
Eric

More information about the argus mailing list